googleprojectzero · gygachad · Apr 23, 2025
diff --git a/custom_net_fuzzer.c b/custom_net_fuzzer.c
@@ -26,17 +26,41 @@ static u8  enable_socket_fuzzing = 0; /* Enable network fuzzing           */
 static u8  is_TCP = 1;                /* TCP or UDP                       */
 static u32 target_port = 0x0;         /* Target port to send test cases   */
 static u32 socket_init_delay = SOCKET_INIT_DELAY; /* Socket init delay    */
-static u8 *target_ip_address = NULL;  /* Target IP to send test cases     */
+static u8* target_ip_address = NULL;  /* Target IP to send test cases     */
 
 
 static SOCKET ListenSocket = INVALID_SOCKET;
 static SOCKET ClientSocket = INVALID_SOCKET;
 
-static void send_data_tcp(const char *buf, const int buf_len, int first_time) {
-    static struct sockaddr_in si_other;
-    static int slen = sizeof(si_other);
-    static WSADATA wsa;
+int connect_to_tcp(char* ip, int port) {
     int s;
+    struct sockaddr_in si_other;
+
+    // setup address structure
+    memset((char*)&si_other, 0, sizeof(si_other));
+    si_other.sin_family = AF_INET;
+    si_other.sin_port = htons(target_port);
+    si_other.sin_addr.S_un.S_addr = inet_addr((char*)target_ip_address);
+
+    /* In case of TCP we need to open a socket each time we want to establish
+        * connection. In theory we can keep connections always open but it might
+        * cause our target behave differently (probably there are a bunch of
+        * applications where we should apply such scheme to trigger interesting
+        * behavior).
+        */
+    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
+        printf("socket() failed with error code : %d", WSAGetLastError());
+
+    // Connect to server.
+    while (connect(s, (SOCKADDR*)&si_other, sizeof(si_other)) == SOCKET_ERROR)
+        printf("connect() failed with error code : %d", WSAGetLastError());
+
+    return s;
+}
+
+static void send_data_tcp(const char* buf, const int buf_len, int first_time) {
+    static WSADATA wsa;
+    static int s = INVALID_SOCKET;
 
     if (first_time == 0x0) {
         /* wait while the target process open the socket */
@@ -45,39 +69,21 @@ static void send_data_tcp(const char *buf, const int buf_len, int first_time) {
         if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
             FATAL("WSAStartup failed. Error Code : %d", WSAGetLastError());
 
-        // setup address structure
-        memset((char *)&si_other, 0, sizeof(si_other));
-        si_other.sin_family = AF_INET;
-        si_other.sin_port = htons(target_port);
-        si_other.sin_addr.S_un.S_addr = inet_addr((char *)target_ip_address);
+        s = connect_to_tcp(target_ip_address, target_port);
     }
 
-    /* In case of TCP we need to open a socket each time we want to establish
-    * connection. In theory we can keep connections always open but it might
-    * cause our target behave differently (probably there are a bunch of
-    * applications where we should apply such scheme to trigger interesting
-    * behavior).
-    */
-    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
-        FATAL("socket() failed with error code : %d", WSAGetLastError());
-
-    // Connect to server.
-    if (connect(s, (SOCKADDR *)& si_other, slen) == SOCKET_ERROR)
-        FATAL("connect() failed with error code : %d", WSAGetLastError());
-
     // Send our buffer
-    if (send(s, buf, buf_len, 0) == SOCKET_ERROR)
-        FATAL("send() failed with error code : %d", WSAGetLastError());
-
-    // shutdown the connection since no more data will be sent
-    if (shutdown(s, 0x1/*SD_SEND*/) == SOCKET_ERROR)
-        FATAL("shutdown failed with error: %d\n", WSAGetLastError());
-    // close the socket to avoid consuming much resources
-    if (closesocket(s) == SOCKET_ERROR)
-        FATAL("closesocket failed with error: %d\n", WSAGetLastError());
+    while (send(s, buf, buf_len, 0) <= 0) {
+        printf("send() failed with error code : %d", WSAGetLastError());
+        // close the socket to avoid consuming much resources
+        if (closesocket(s) == SOCKET_ERROR)
+            printf("closesocket failed with error: %d\n", WSAGetLastError());
+
+        s = connect_to_tcp(target_ip_address, target_port);
+    }
 }
 
-static void send_data_udp(const char *buf, const int buf_len, int first_time) {
+static void send_data_udp(const char* buf, const int buf_len, int first_time) {
     static struct sockaddr_in si_other;
     static int s, slen = sizeof(si_other);
     static WSADATA wsa;
@@ -93,20 +99,20 @@ static void send_data_udp(const char *buf, const int buf_len, int first_time) {
             FATAL("socket() failed with error code : %d", WSAGetLastError());
 
         // setup address structure
-        memset((char *)&si_other, 0, sizeof(si_other));
+        memset((char*)&si_other, 0, sizeof(si_other));
         si_other.sin_family = AF_INET;
         si_other.sin_port = htons(target_port);
-        si_other.sin_addr.S_un.S_addr = inet_addr((char *)target_ip_address);
+        si_other.sin_addr.S_un.S_addr = inet_addr((char*)target_ip_address);
     }
 
     // send the data
-    if (sendto(s, buf, buf_len, 0, (struct sockaddr *) &si_other, slen) == SOCKET_ERROR)
+    if (sendto(s, buf, buf_len, 0, (struct sockaddr*)&si_other, slen) == SOCKET_ERROR)
         FATAL("sendto() failed with error code : %d", WSAGetLastError());
 }
 
 #define DEFAULT_BUFLEN 4096
 
-CUSTOM_SERVER_API int APIENTRY dll_run(char *data, long size, int fuzz_iterations) {
+CUSTOM_SERVER_API int APIENTRY dll_run(char* data, long size, int fuzz_iterations) {
     if (is_TCP)
         send_data_tcp(data, size, fuzz_iterations);
     else
@@ -115,10 +121,10 @@ CUSTOM_SERVER_API int APIENTRY dll_run(char *data, long size, int fuzz_iteration
 }
 
 static int optind;
-static u8 *optarg;
+static u8* optarg;
 
-int getopt(int argc, char **argv, char *optstring) {
-    char *c;
+int getopt(int argc, char** argv, char* optstring) {
+    char* c;
     optarg = NULL;
     int i = 0;
 
@@ -153,24 +159,24 @@ int getopt(int argc, char **argv, char *optstring) {
 
 void usage() {
     printf("Network fuzzing options:\n\n"\
-    "  -a            - IP address to send data in\n"\
-    "  -U            - Use UDP (default TCP)\n"\
-    "  -p            - Port to send data in\n"\
-    "  -w            - Delay in milliseconds before start sending data\n");
+        "  -a            - IP address to send data in\n"\
+        "  -U            - Use UDP (default TCP)\n"\
+        "  -p            - Port to send data in\n"\
+        "  -w            - Delay in milliseconds before start sending data\n");
     exit(1);
 }
 static int optind;
-static u8 *optarg;
+static u8* optarg;
 
 #define MAX_ARGS 28
 
-char **convert_to_array(char *args, int *argc) {
+char** convert_to_array(char* args, int* argc) {
     int element_id = 0;
     int last_element_offset = 0;
-    char *c = NULL;
+    char* c = NULL;
 
     int length = strlen(args);
-    char **argv = malloc(MAX_ARGS * sizeof (char *));
+    char** argv = malloc(MAX_ARGS * sizeof(char*));
 
     while (args) {
         c = strchr(args, ' ');
@@ -181,7 +187,7 @@ char **convert_to_array(char *args, int *argc) {
         if (len <= 0)
             break;
 
-        char *element = malloc(len);
+        char* element = malloc(len);
         memcpy(element, args, len);
         element[len] = '\0';
 
@@ -210,9 +216,9 @@ CUSTOM_SERVER_API int APIENTRY dll_init() {
     if (!first_time)
         return 1;
 
-    char *args = getenv("AFL_CUSTOM_DLL_ARGS");
+    char* args = getenv("AFL_CUSTOM_DLL_ARGS");
 
-    char **argv = convert_to_array(args, &argc);
+    char** argv = convert_to_array(args, &argc);
 
     if (args == NULL)
         usage();
@@ -249,7 +255,7 @@ CUSTOM_SERVER_API int APIENTRY dll_init() {
         usage();
 
     printf("Ready to begin fuzzing. Target IP= %s, target port = %d\n",
-           target_ip_address, target_port);
+        target_ip_address, target_port);
     first_time = 0x0;
     return 1;
-}
+}